Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage

profil-zyak-2012 - Bruno Blanchet

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

15 pages

English

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

A propos
Informations
Extrait

Description

Niveau: Supérieur, Doctorat, Bac+8
Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage Bruno Blanchet CNRS, Ecole Normale Superieure, INRIA? Avik Chaudhuri University of California at Santa Cruz Abstract We study formal security properties of a state-of-the-art protocol for secure file sharing on untrusted storage, in the automatic protocol verifier ProVerif. As far as we know, this is the first automated formal analysis of a secure stor- age protocol. The protocol, designed as the basis for the file system Plutus, features a number of interesting schemes like lazy revocation and key rotation. These schemes im- prove the protocol's performance, but complicate its secu- rity properties. Our analysis clarifies several ambiguities in the design and reveals some unknown attacks on the pro- tocol. We propose corrections, and prove precise security guarantees for the corrected protocol. 1. Introduction Much research in recent years has focused on the secu- rity analysis of communication protocols. In some cases, attacks have been found on old, seemingly robust proto- cols, and these protocols have been corrected [23, 33, 40]; in other cases, the security guarantees of those protocols have been found to be misunderstood, and they have been clari- fied and sometimes even formalized and proved [4, 33, 37].

when

security properties

storage

file system

has focused

event has

proverif

access control

ac- cess control

lockbox key

Sujets

Blanchet

Storage

File system

ProVerif

Access control

Informations

Publié par	profil-zyak-2012
Nombre de lectures	17
Langue	English

Extrait

AutomatedFormalAnalysisofaProtocolforSecureFileSharingonUntrustedStorageBrunoBlanchetAvikChaudhuriCNRS,E´coleNormaleSupe´rieure,INRIA∗UniversityofCaliforniaatSantaCruzblanchet@di.ens.fravik@cs.ucsc.eduAbstractWestudyformalsecuritypropertiesofastate-of-the-artprotocolforsecureﬁlesharingonuntrustedstorage,intheautomaticprotocolveriﬁerProVerif.Asfarasweknow,thisistheﬁrstautomatedformalanalysisofasecurestor-ageprotocol.Theprotocol,designedasthebasisfortheﬁlesystemPlutus,featuresanumberofinterestingschemeslikelazyrevocationandkeyrotation.Theseschemesim-provetheprotocol’sperformance,butcomplicateitssecu-rityproperties.Ouranalysisclariﬁesseveralambiguitiesinthedesignandrevealssomeunknownattacksonthepro-tocol.Weproposecorrections,andproveprecisesecurityguaranteesforthecorrectedprotocol.1.IntroductionMuchresearchinrecentyearshasfocusedonthesecu-rityanalysisofcommunicationprotocols.Insomecases,attackshavebeenfoundonold,seeminglyrobustproto-cols,andtheseprotocolshavebeencorrected[23,33,40];inothercases,thesecurityguaranteesofthoseprotocolshavebeenfoundtobemisunderstood,andtheyhavebeenclari-ﬁedandsometimesevenformalizedandproved[4,33,37].Moregenerally,thislineofworkhasunderlinedthedifﬁ-cultyofdesigningsecurecommunicationprotocols,andtheimportanceofverifyingtheirprecisesecurityproperties.Whileprotocolsforsecurecommunicationhavebeenstudiedindepth,protocolsforsecurestoragehavereceivedfarlessattention.Someoftheseprotocolsrelyonsecurecommunication,andweexpecttheusualtechniquesforse-curecommunicationtoapplytosuchprotocolsaswell.Butsomedistinctivefeaturesofstorageposeproblemsforse-curitythatseemtogobeyondthosestudiedinthecon-textofcommunicationprotocols.Perhapsthemoststrik-ingofthesefeaturesisdynamicaccesscontrol.Indeed,∗BrunoBlanchet’sworkhasbeendonewithintheINRIAABSTRAC-TIONproject-team(commonwiththeCNRSandtheE´NS).whilemoststoragesystemsfeaturedynamicaccesscontrolinsomeform,itsconsequencesonmoreabstractsecuritypropertieslikesecrecyandintegrityareseldomevaluatedindetail.Inthispaper,weshowthatprotocolsforsecurestor-ageareworthanalyzing,andstudyaninterestingexample.Speciﬁcally,weanalyzeastate-of-the-artﬁle-sharingproto-colthatexploitscryptographictechniquesforsecurestorageonanuntrustedserver.TheprotocolisthebasisfortheﬁlesystemPlutus[32].Thissettingisinterestingforseveralreasons.First,compromiseofstorageserversisareason-ablycommonthreattoday,anditisprudentnottotrustsuchserversforsecurity[34].Next,theprotocolwestudyhasaverytypicaldesignforsecureﬁlesharingonuntrustedstor-age,wheredataisstoredencryptedandsigned,andkeysforencrypting,signing,verifying,anddecryptingsuchdataaremanagedbyusers.Severalﬁlesystemsfollowthisbasicdesign,includingSNAD[35],SiRiUS[28],andothercryp-tographicﬁlesystemssincethe1990s[15].Finally,beyondthebasicdesign,theprotocolfeaturessomepromisingnewschemeslikelazyrevocationandkeyrotationthatimprovetheprotocol’sperformanceinthepresenceofdynamicac-cesscontrol,butinturncomplicateitssecurityproperties.Thesefeaturesareworthyofstudy.Forinstance,ouranaly-sisrevealsthatlazyrevocationallowsmorepreciseintegrityguaranteesthanthenaı¨veschemein[28].Withlazyrevo-cation,ifanuntrustedwriterisrevoked,readerscandis-tinguishcontentsthatarewrittenaftertherevocationfrompreviouscontentsthatmayhavebeenwrittenbythatwriter;consequently,theycantrusttheformercontentseveniftheydonottrustthelattercontents.Onadifferentnote,thecom-putationalsecurityofkeyrotationschemeshasgeneratedalotofinterestrecently[6,7,26].Ouranalysisrevealssomenewintegrityvulnerabilitiesintheprotocolthatcanbeex-ploitedevenifthekeyrotationschemeissecure.Formaltechniquesplayasigniﬁcantroleinouranalysis.WemodeltheprotocolandverifyitssecuritypropertiesintheautomaticprotocolveriﬁerProVerif.ProVerifisbasedonsolidformalfoundationsthatincludetheoryfortheap-pliedpicalculusandprooftheoryforﬁrst-orderlogic.The